CVE-2024-6498: 
WordPress vulnerability analysis and mitigation

The Chatbot for WordPress by Collect.chat plugin before version 2.4.4 contains a Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered on July 15, 2024, and was assigned CVE-2024-6498. The issue affects the plugin's settings functionality, where insufficient sanitization and escaping of input could allow privileged users to perform XSS attacks (WPScan, NVD).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). It has been assigned a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The vulnerability specifically affects the plugin's settings page at /wp-admin/admin.php?page=collectchat, where certain settings are not properly sanitized or escaped (NVD).

The vulnerability allows high-privilege users such as administrators to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. This could potentially lead to the execution of arbitrary web scripts when users access affected pages (WPScan).

The vulnerability has been patched in version 2.4.4 of the Chatbot for WordPress by Collect.chat plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).